Security Risk & Compliance Assessments (V1, 8/2010)
Risk & Compliance Assessments
Risk & compliance services

Summary

Trace3 offers a full and complete line of security assessment services designed to help you minimize risk, improve operational efficiency, and satisfy regulatory mandates. We will provide your organization with the metrics needed to make critical business decisions on where to spend valuable time and money protecting your assets while maintaining industry best practices and regulatory compliance.

Features & Benefits

Trace3 Security Assessments provide the following features and benefits:

- Provides your management team with a rapid, top-down, big-picture view of current security posture.
- Proactively identifies possible or potential security risks or vulnerabilities that may allow access to confidential areas of a network, allow a denial of service to be performed, or obtain information from your network. This exercise will produce a deliverable cataloguing potential vulnerabilities in the environment and outline a remediation strategy to resolve the identified issues.
- Benchmarks the current environment against industry best practices.
- Reveals and quantifies network infrastructure weaknesses and provides both tactical and strategic opportunities to remedy these weaknesses.
- Identifies risks to the confidentiality, integrity and availability of information and information systems.
- Provides recommendations for gaps in policy by strengthening current policy or adding new policies.

Approach

Trace3 will gather and organize the data necessary to make informed conclusions and recommendations through on-site interviews, walkthroughs, asset inventories, device configuration review, document review, and hands-on equipment evaluation. All areas of the network infrastructure can be reviewed, including WAN/LAN protocols and topology, operating systems, routing and switching, remote/internet connectivity, cabling, and network/systems management tools. Within these areas, Trace3 will focus on security posture as it relates to People, Process and Technology in accordance with best practices.

Key Deliverables

Security Assessments deliver the following:

- Formal discovery report including an executive summary and detailed facts and findings from the discovery phase of the assessment.
- Specific recommendations, including justification and benefits.
- Detailed vulnerability reports with one-step remediation plans.
- A comprehensive security standards and compliance matrix, provided in accordance with best practices.
- Collaborative feedback report to your IT organization through an interactive presentation or workshop.

Requirements

To conduct a Network Technology Infrastructure Assessment service, Trace3 requires the following:

- Network drawings depicting your environment. If such an as-built is not available, Trace3 offers a Network Discovery and Documentation service.
- Detailed information on the current network layout, including subnet allocation, network device locations, and IP addresses.
- List of personnel and scheduled interview times prior to the project kickoff meeting.
- Access to your network equipment.
- A static and functional network environment during the course of our discovery/data collection phase.

Trace3 Co-Management Risk & Compliance Solutions Guide 2011
Risk & Compliance Assessments: Risk & compliance services

Please select all that apply to the project.

Compliance/Risk
- Sarbanes-Oxley
- GLBA
- HIPAA
- PCI
- PCI Readiness
- ISO 17799/27001
- OWASP
- COBIT
- NSA IAM/IEM
- PIPEDA
- NERC
- NIST/Best Practice
- Custom

Vulnerability Assessment
- Remote Assessment
- App Config. Review
- Device Config. Review
- Network Config. Review
- Server Config. Review
- Social Engineering
- Off Hours
- Web Application
- Physical Assessment
- Wireless Assessment
- Custom Assessment

Disaster Planning
- DR Planning
- DR Creation
- DR Exercise
- Data Criticality Analysis
- DR Gap Analysis
- DR Assessment
- Business Impact Analysis

- Forensics
- Incident Response
- Policy Assessment
- Policy Creation
- Physical Security
- Wireless Security
- Security Training
- Server Hardening
- Security Architecture
- Target State
- Virtual CSO
External Vulnerability Assessment

An external vulnerability assessment will assess your environment from an external or public view to identify vulnerabilities that may allow access to confidential areas of a network, allow a denial of service to be performed, or obtain sensitive internal information.

Internal Vulnerability Assessment

An internal vulnerability assessment will assess your environment from the internal view of the network to identify vulnerabilities that may allow access to confidential areas of a network, allow a denial of service to be performed, or allow access to sensitive internal information. Password complexity is also verified, virus protection and patch management are assessed, and a sample of servers and workstations is reviewed to provide recommendations on how to enhance the organization's security posture.

Host & Network Penetration Testing

Penetration testing, also known as ethical hacking, is conducted to confirm the true risk of the vulnerabilities identified. Through exploitation of vulnerabilities, engineers will try to gain root or administrator-level access to the target systems and/or other trusted user account access. During this process, advanced tools and custom utilities will be used to maintain availability of the servers while gaining access to potentially vulnerable services. After manual verification of the information tested, we provide a mitigation plan to secure the network and prevent the information from being accessed.

Application Penetration Testing

With the evolution of technology making perimeter access devices more secure and the rise in the sophistication of e-business focused attacks, the security focus has shifted to the next battlefront: applications. Custom-coded applications offer additional attack vectors for hackers. Application penetration testing is directly related to testing those applications that have been custom developed or built on top of other commercial applications. Application security testing does not involve looking at hosting software such as the web servers, but rather focuses on the application software itself.

Social Engineering

Social engineering evaluates the ultimate weakest link in your security program by testing the security awareness and education of an organization's user population. Using specialized attacks such as phishing, random phone calls, information gathering, and tailgating, consultants are quickly able to determine where vulnerabilities exist in an organization by exploiting human weaknesses.

Red Team

Red Team testing is a state-of-the-art system of exposing information security risks. This methodology quickly and directly identifies key corporate assets and their real-world weaknesses and strengths on all levels of security posture (physical, logical, electronic, social, environmental and business process/structure). The result of this assessment enables clients to find out their true level of defense against generic and sophisticated attacks.
Risk Assessment

Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks.

Sarbanes-Oxley (SOX)

This assessment will include policy review, architecture review and security practice review. By taking this approach, a security control baseline will be compiled for our customer's environment. This will give the customer an understanding of the current state of security as well as an accurate roadmap to meet Sarbanes-Oxley IT security compliance. In addition to technical reviews and policy inspection, a comprehensive requirements matrix will be compiled. This matrix will show the mapping to specific security requirements, as interpreted by the provider, of Sarbanes-Oxley sections 302, 404 and 802.

Gramm-Leach-Bliley (GLBA)

The GLBA assessment process is designed to identify, measure, manage, and control the risks to system and data availability, integrity and confidentiality, as well as to ensure accountability for system actions within financial institutions. This particular assessment will follow the guidelines provided by GLBA and FFIEC to assess the current level of compliance with GLBA and the relative security of the environment.

Health Insurance Portability & Accountability Act (HIPAA)

Section 164.308(a)(1) of HIPAA requires an organization to conduct a risk analysis of the organization. This analysis is required to understand the flow of e-PHI (Electronic Protected Health Information) in the organization, and the result of this analysis will facilitate the creation of security policies and procedures and support the recommendation to initiate HIPAA Security Compliance related remediation activities. This assessment will enable organizations to gain a full understanding of their compliance with HIPAA, provide a gap analysis against current security controls, and provide a remediation plan to achieve full compliance.

ISO 27001/17799

ISO/IEC 27001 and its related code of practice, ISO/IEC 17799, provide internationally accepted, standardized criteria to implement an effective information security management system. The basis for the standard is that information is an organization's most valuable asset. As a valued asset, information must be managed and protected from internal and external threats. In order to protect its information assets, the organization must develop sustainable security measures and integrate those measures into its business processes. ISO/IEC 27001 and ISO/IEC 17799 assessments provide strategic and tactical direction for assessing, measuring and preventing threats, as well as a proposed range of security controls focused on safeguarding information assets.
Policy and Procedure Assessment

A review of documented security policies for proper coverage of information security as related to ISO 17799. Through this review we will recommend additional policies/procedures and/or modifications to existing policies that have been or need to be created.

Policy & Procedure Writing

Assist in writing policies and procedures applicable to the business and operational needs of a network.

Disaster Planning

The goal for this activity is to develop a tailored and flexible plan that is easy to use when recovery activities are activated. Specific objectives to achieve this goal include:

- Define the components of the plan.
- Select team leaders, members and alternates, based upon functional areas, who may be involved in the plan development and initial walkthrough of the plan.
- Develop procedures that address and document the steps for responding to a crisis event, recovering operational capability and resuming critical business functions, and eventually restoring all functions to business as usual.
- Ensure important decisions are made and documented in the plan.
- Document relationships that will be relied upon if the company experiences a disaster, including contact names and the type of assistance they may provide.
- Review completed plans with senior management to confirm approach and assumptions.
- Reassess the work program and schedule and make necessary adjustments.

Test facilitation and training services provide organizations with an independent, objective exercise and assist with bringing stakeholders up to speed on what they need to know. Testing gives management confidence in the validity of their plans, and training provides for usability of the plans in the hands of the stakeholders who will execute them.

Business Impact Analysis (BIA)

The BIA process is normally conducted to help an organization identify the key systems and data relevant to sustaining the business. This process is the first step in putting together an effective business continuity plan. It requires client participants to identify economic, legal, service, and other operational implications that affect their ability to deliver a service or other work product in the event of a service disruption. The BIA process helps define the results of a loss on individual locations, business units or processes in financial and operational terms. The results provide information about a business area's current ability to deal with a disruption, and the potential impacts that may be experienced if one should occur.

Rogue Wireless Detection

Detect rogue wireless APs, including direction finding of said connection devices.

Wireless Penetration Test

Attempts at gaining access to wireless networks through compromising vulnerabilities in the wireless infrastructure to gain unauthorized access to networks and systems.
Wireless Architecture Assessment

Assessment of the diagrams of wireless networks and the protocols surrounding them for security efficacy and potential vulnerabilities.

Wireless Policies & Procedures Assessment

Assessment of policies and procedures pertaining to wireless networking, including a gap analysis of those policies and procedures against best practices.

Physical Security Assessment

This assessment process begins with a characterization of the facility, including identification of the undesired events and the respective critical assets. Guidance for defining a design basis threat is included, as well as the definition of the threat to estimate the likelihood of an adversary attack at a specific facility. Relative values of consequence are estimated. Methods are also included for estimating the effectiveness of the security system against the adversary attack. Finally, risk is calculated. In the event that the value of risk is deemed to be unacceptable (too high), the methodology addresses a process for identifying and evaluating security system upgrades in order to reduce risk.

Forensic Analysis

Complete systems analysis of live systems for forensic evidence.

Hard Drive Analysis

Forensic analysis of hard drives for evidence of crimes, intrusions or incidents. Such evidence can be taken to authorities and courts.

Rootkit Detection

Detection of rootkits, backdoors, Trojans, etc. for forensic purposes.

Active Threat Defense

Defending a network against an active attack (e.g. DDoS, corporate espionage, counter attack, etc.).

External Threat Mitigation

Identify, monitor and track external threats (hacking, theft, harassment, etc.).

Internal Threat Mitigation

Problematic internal employee or resource tracking, monitoring, and mitigation (AUP violations, termination policy enforcement, internal hacking, etc.).
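The Physical Security Assessment methodology above ends with a calculated risk per undesired event and an evaluation of security system upgrades when that risk is too high. The following added example (not Trace3's code or tooling) works that calculation through; it assumes the conventional multiplicative relation R = P_A × (1 − P_E) × C used in facility risk methodologies, which the page does not state, and the events, probabilities, consequence values, upgrades and acceptance threshold are constructed sample inputs.

```python
from dataclasses import dataclass
# Assumed relation (not stated on the page): R = P_A * (1 - P_E) * C, with P_A the
# likelihood of adversary attack from the design basis threat, P_E the estimated
# effectiveness of the security system, and C the relative consequence, all in [0, 1].

@dataclass(frozen=True)
class UndesiredEvent:
    name: str
    p_attack: float      # P_A
    p_effective: float   # P_E of the current security system
    consequence: float   # C

@dataclass(frozen=True)
class Upgrade:
    name: str
    p_effective_gain: float  # estimated increase in P_E once installed
    cost: float              # relative cost, used only for ranking

def risk(event: UndesiredEvent) -> float:
    """Conditional risk for one undesired event; rejects out-of-range inputs."""
    for v in (event.p_attack, event.p_effective, event.consequence):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{event.name}: inputs must lie in [0, 1], got {v}")
    return event.p_attack * (1.0 - event.p_effective) * event.consequence

def unacceptable(events, threshold: float):
    """Events whose risk exceeds the acceptable threshold, highest risk first."""
    return sorted((e for e in events if risk(e) > threshold), key=risk, reverse=True)

def evaluate_upgrades(event: UndesiredEvent, upgrades, threshold: float):
    """Rank upgrades for one event by risk reduction per unit cost; report residual risk."""
    rows = []
    for up in upgrades:
        improved = UndesiredEvent(event.name, event.p_attack,
                                  min(1.0, event.p_effective + up.p_effective_gain),
                                  event.consequence)
        residual = risk(improved)
        rows.append({"upgrade": up.name,
                     "residual_risk": round(residual, 4),
                     "acceptable": residual <= threshold,
                     "reduction_per_cost": (risk(event) - residual) / up.cost})
    return sorted(rows, key=lambda r: r["reduction_per_cost"], reverse=True)

EVENTS = [  # constructed sample inputs for one facility, not from a real assessment
    UndesiredEvent("theft of backup media from vault", 0.5, 0.6, 0.8),
    UndesiredEvent("sabotage of data center UPS", 0.2, 0.9, 1.0),
    UndesiredEvent("unauthorized entry to server room", 0.7, 0.4, 0.5),
]
THRESHOLD = 0.10
SERVER_ROOM_UPGRADES = [  # constructed candidate upgrades for the server room event
    Upgrade("badge reader and door contact alarm", 0.3, 20.0),
    Upgrade("staffed guard post with response force", 0.5, 100.0),
    Upgrade("monitored CCTV on the corridor", 0.2, 10.0),
]
```

With these inputs only the guard post brings the server room event within the threshold, while CCTV gives the most risk reduction per unit cost; a real assessment would feed the methodology's own P_A, P_E and consequence estimates into the same functions.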